PHP cURL certificate error
I'm attempting to add a custom cer-certificate to my PHP cURL request, but I keep getting this error:
error setting certificate verify locations:
CAfile: /path/to/my/cert.cer
CApath: none
All I've found about this error is that:
The path is relative. As you can see, I've supplied an absolute path.
The path is erroneous. I've tried to var_dump(file_exists($certLocation));, which gives me true, so this is not the case.
The permissions on the file are incorrect. I've set the permissions to 777 for debugging purposes. Error remains.
The path to the file doesn't have +x-permissions somewhere in the chain. I've set this as well, ensuring that the entire path from root has +x-permissions, and still no luck.
I'm at a loss here, having tried everything I can find, and fact is, I don't even understand what the error actually means. What is a verify location? All I can understand is that there's an error with loading the file.
Any light shed on this is greatly appreciated. See code example below.
Thanks.
Code I use:
<?php
$oCurl = curl_init($this->baseUrl);
curl_setopt($oCurl, CURLOPT_FAILONERROR, 1);
curl_setopt($oCurl, CURLOPT_TIMEOUT, $this->timeout);
curl_setopt($oCurl, CURLOPT_CONNECTTIMEOUT, $this->connectionTimeout);
curl_setopt($oCurl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($oCurl, CURLOPT_POST, 1);
curl_setopt($oCurl, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($oCurl, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($oCurl, CURLOPT_CAINFO, "/tmp/cert.cer");
Error:
error setting certificate verify locations:
CAfile: /tmp/cert.cer
CApath: none
If your PHP installation doesn't have an up-to-date CA root certificate bundle, download the one at the curl website and save it on your server:
http://curl.haxx.se/docs/caextract.html
Then set a path to it in your php.ini file, e.g. on Windows:
curl.cainfo=c:\php\cacert.pem
NOTE: Turning off CURLOPT_SSL_VERIFYPEER allows man in the middle (MITM) attacks, which you don't want!
SRC1 - https://stackoverflow.com/a/14064903/797495
SRC2 - http://php.net/manual/en/function.curl-setopt.php#110457
CURLOPT_CAINFO is used in conjunction with CURLOPT_SSL_VERIFYPEER
CURLOPT_CAINFO should be set to a CA or CA-bundle in PEM format. I managed to track the curl code which triggers this error and this is what I found:
in curl/openssl.c :
if(!SSL_CTX_load_verify_locations(connssl->ctx,
                                  data->set.str[STRING_SSL_CAFILE],
                                  data->set.str[STRING_SSL_CAPATH])) {
  if(data->set.ssl.verifypeer) {
    /* Fail if we insist on successfully verifying the server. */
    failf(data, "error setting certificate verify locations:\n"
          " CAfile: %s\n CApath: %s",
          data->set.str[STRING_SSL_CAFILE]?
          data->set.str[STRING_SSL_CAFILE]: "none",
          data->set.str[STRING_SSL_CAPATH]?
          data->set.str[STRING_SSL_CAPATH] : "none");
    return CURLE_SSL_CACERT_BADFILE;
  }
  ...
Apparently the call on SSL_CTX_load_verify_locations returns 0 and combined with the fact of having CURLOPT_SSL_VERIFYPEER set to 1 it triggers the error.
SSL_CTX_load_verify_locations is a function from openssl library, and according to the documentation (SSL_CTX_load_verify_locations documentation), the following statements should be taken into consideration:
"If CAfile is not NULL, it points to a file of CA certificates in PEM format."
"The CAfile is processed on execution of the SSL_CTX_load_verify_locations() function."
"0 - The operation failed because CAfile and CApath are NULL or the processing at one of the locations specified failed." under RETURN VALUES section
You could try to convert your cer to a pem using the following command:
openssl x509 -in /tmp/cert.cer -inform der -outform pem -out /tmp/cert.pem
but I can't guarantee that this will work, because I'm not sure if you even have a proper CA or CA bundle file.
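
The check the second answer points to, as an added example that is not part of the original question or answers: it tests whether the file given to CURLOPT_CAINFO is PEM, converts a DER-encoded .cer to PEM (the same result as the openssl x509 command above), and confirms it parses as X.509 before cURL sees it. ensurePemCaFile(), the generated sample certificate and the example.com URL are assumptions made for illustration.

```php
<?php
// Added example. ensurePemCaFile() is a hypothetical helper, not a cURL API.
function ensurePemCaFile(string $path): string
{
    $raw = @file_get_contents($path);
    if ($raw === false || $raw === '') {
        throw new RuntimeException("Cannot read CA file: $path");
    }
    if (strpos($raw, '-----BEGIN CERTIFICATE-----') !== false) {
        $pem = $raw;                        // already PEM (one cert or a bundle)
        $pemPath = $path;
    } elseif (ord($raw[0]) === 0x30) {      // DER begins with an ASN.1 SEQUENCE tag
        $pem = "-----BEGIN CERTIFICATE-----\n"
             . chunk_split(base64_encode($raw), 64, "\n")
             . "-----END CERTIFICATE-----\n";
        $pemPath = $path . '.pem';
    } else {
        throw new RuntimeException("Neither PEM nor DER: $path");
    }
    // Parse the first certificate so a bad file fails here, not inside cURL.
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        throw new RuntimeException("Not a parsable X.509 certificate: $path");
    }
    $bc = openssl_x509_parse($cert)['extensions']['basicConstraints'] ?? '';
    if (strpos($bc, 'CA:TRUE') === false) {
        trigger_error("$path is not marked as a CA certificate", E_USER_NOTICE);
    }
    if ($pemPath !== $path && file_put_contents($pemPath, $pem) === false) {
        throw new RuntimeException("Cannot write $pemPath");
    }
    return $pemPath;
}

// Constructed sample input: a throwaway self-signed certificate saved as DER,
// standing in for the asker's /tmp/cert.cer.
$key = openssl_pkey_new(['private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'Constructed Test CA'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 1), $samplePem);
$cerPath = tempnam(sys_get_temp_dir(), 'ca');
file_put_contents($cerPath, base64_decode(preg_replace('/-----[^-]+-----|\s/', '', $samplePem)));

$ch = curl_init('https://example.com/');          // placeholder URL
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // verification stays on
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, ensurePemCaFile($cerPath));
echo "CURLOPT_CAINFO now points at a PEM file\n";
```

The basicConstraints notice is informational only: it flags a file that parses as a certificate but is not marked as a CA, the situation the answer above says it cannot rule out.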